We’ve worked with a number of really great hosting providers that go above and beyond for their customers.
See, web hosting isn’t just about giving up some space in your data center and leaving your client to their own devices. A good hosting provider is going to help you navigate all your critical business needs. This includes optimizing your site or application, helping with performance testing, and making sure your site is secured. Another key task they can help you with is achieving compliance, which is something I’ve talked about in the past. Your hosting provider should take an active role in helping your company achieve compliance. Well, the good ones do anyway.
If you deal with sensitive personal information or perform millions of transactions a year, you’ll want to read about how hosting providers help SaaS vendors with compliance.
Security does NOT EQUAL Compliance
First off, security does not necessarily equal compliance, and it’s something SaaS vendors know all too well. Even if you’re working hard and covering all the angles in locking down security across all your web servers, your clients, and probably your clients’ clients too, will want a third party to check your controls and processes and provide independent assurance of both security and compliance.
It’s not IF, it’s When.
It’s only a matter of time before the auditors come calling. And if you’ve been through an audit before, you know how painful this experience can be.
SaaS vendors must be dependable – keeping the system online, functional and secure for the customers that depend on it. To obtain this assurance, many of your clients will request proof that your business has proper controls in place and that those controls have been reviewed by a third-party accounting firm. Controls for these services are usually designed around a combination of the security, confidentiality, availability, processing integrity and privacy principles (the five Trust Services principles a SOC 2 report is scoped against). The appropriate combination depends on the product or service offered, the level of data confidentiality required, and any customer-specific requirements or requests.
No matter what type of software you deliver – healthcare, CRM, accounting or otherwise – it is common to see audit reports in RFPs.
Most likely your SaaS app has a lot of moving parts – integrations, partners and so on – and your auditors are going to want to know you’ve got all of it covered. The audit is going to involve dozens upon dozens of spreadsheets and hundreds of questions.
A good hosting provider is with you step-by-step
Some of the questions involve your hosting provider directly, and any provider will take those on. The real test is the questions that don’t directly concern them: find a provider that won’t just walk away at that point.
While different organizations may be responsible for different aspects of security and compliance, a good hosting provider is with you step-by-step, providing as much data and evidence as you need to fill out these massive spreadsheets.
We know that providing data and evidence for audits is a nightmare for clients, and, quite frankly, the questions are often ambiguous. SaaS vendors frequently misinterpret them and waste a lot of time producing responses that don’t fit what the auditors were looking for.
Whether you are being audited for the first time or the tenth time, make sure your hosting provider can help you supply the necessary evidence – call it “Evidence-as-a-Service” if you will – to support your audit and compliance process.
PCI DSS for SaaS Vendors
Requirement 12.8 of PCI DSS obliges any entity that shares cardholder data with a service provider (such as a SaaS vendor) to manage that provider, including a written agreement in which the provider acknowledges its responsibility for the security of the cardholder data it handles. The standard then goes further in a brief appendix devoted entirely to shared hosting providers.
Requirement A.1 of that appendix has four sub-requirements.
- Section A.1.1 requires that each hosted client only run processes that have access to that client’s own cardholder data environment.
This will be one of the first questions every SaaS vendor should be asking of their hosting provider, and the answer needs to be yes. Ask your hosting provider to show how each of your customers’ systems is architected to prevent exposure of data to other tenants.
- Section A.1.2 requires that each client’s access and privileges be restricted to its own cardholder data environment, so that a customer can reach its own data and nobody else’s.
A comprehensive security program is a must for every SaaS vendor. Make sure your customers’ credentials and sensitive data are protected through a defense-in-depth, security-in-layers approach.
- Section A.1.3 requires that logging and audit trails be enabled, be unique to each client’s environment, and be consistent with Requirement 10 of PCI DSS.
- Section A.1.4 requires the hosting provider to have processes that “provide for timely forensic investigation” in the event of a compromise of any hosted client.
Requirement 10 also requires that audit logs be retained and available for review when auditors or regulators ask for them, which is another area where your hosting provider can help. Your provider can handle the logging and reporting requirements and produce the reports on your behalf should the need arise.
Hosting providers help SaaS vendors with compliance – what are three factors to consider?
- Experience – your hosting provider should be actively involved in client audits.
- Focus – a collaborative approach to helping clients through the long and rigorous audit process.
- “Evidence-as-a-Service” – they are with you step-by-step, providing data and evidence as needed for all types of compliance audits.
Dean, this is a great post summarizing business and tech concerns
Thanks Johanne! Appreciate the feedback.